Technical Field
This disclosure relates generally to identifying and remediating application vulnerabilities using static analysis tools.
Background of the Related Art
Today, most organizations depend on web-based software and systems to run their business processes, conduct transactions with suppliers, and deliver sophisticated services to customers. Unfortunately, many organizations invest little to no effort in ensuring that those applications are secure. Web-based systems can compromise the overall security of organizations by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data.
To address this deficiency, static analysis tools and services have been developed. Static security analysis (or “static analysis” for short) solutions help organizations address web and mobile application vulnerabilities through a secure-by-design approach. This approach embeds security testing into the software development lifecycle itself, providing organizations with the tools they require to develop more secure code. Static analysis tools are often used by computer software developers to provide information about computer software while applying only static considerations (i.e., without executing the computer software application). Such tools simplify remediation by identifying vulnerabilities in web and mobile applications prior to their deployment, generating results (reports and fix recommendations) through comprehensive scanning, and combining advanced dynamic and innovative hybrid analyses of glass-box testing (run-time analysis, also known as integrated application security testing) with static taint analysis for superior accuracy. Static analysis may be implemented as a standalone (e.g., desktop) tool “on-premises,” or provided “as a service,” using cloud-based resources. A representative commercial offering of this type is IBM® Security AppScan®, which enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance.
Advanced persistent threats (APTs) refer to a category of high-risk threats to a computing entity (e.g., a server) by so-called threat actors. Data exfiltration (also known as data extrusion) is the primary goal of this malicious activity; typically, it refers to the unauthorized transfer of sensitive information from a target's network to a location that a threat actor controls. APT mitigation solutions, such as IBM® Trusteer Apex, provide automated systems and methods to address data exfiltration and other attacks, such as zero-day application exploits. These types of systems work by analyzing application state and understanding what the application is doing and why it is doing it. Trusteer Apex can automatically and accurately determine whether an application action is legitimate or malicious. Typically, it is deployed and enforced on managed and unmanaged endpoints in an enterprise environment to prevent exploits and malware from compromising those endpoints and extracting information.
APT mitigation solutions such as those described identify data exfiltration, among other methods, by observing that an untrusted executable reads information that is potentially sensitive and then connects to a remote system and sends information to it. While the approach works well, in certain circumstances, such as with a custom application, this methodology produces a false positive. In particular, although the custom application is reading sensitive information, what it then sends to the remote location may be completely unrelated to the read activity.
Thus, there is a need to reduce false positives by an APT mitigation solution.
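The false-positive scenario described above, as an added illustration that is not part of this disclosure or of any named product: a purely sequence-based rule (untrusted process reads sensitive data, then sends to a remote host) flags a benign custom application, whereas a rule that also requires the sent bytes to derive from the sensitive read does not. The event records, process names, paths and hosts are constructed, and the substring check stands in for a real taint-tracking relation.

```python
from dataclasses import dataclass

@dataclass
class Event:
    proc: str        # process name (constructed)
    kind: str        # "read" | "send"
    target: str      # file path for reads, remote host for sends
    data: bytes      # bytes read or bytes sent

# Constructed sample values; not real indicators.
SENSITIVE_PATHS = {"/srv/crm/contracts.db", "/etc/shadow"}
TRUSTED_PROCS = {"backup-agent"}

def sequence_rule(events):
    """Naive rule: an untrusted process that reads a sensitive path and
    later sends anything to a remote host is flagged."""
    read_sensitive, flagged = set(), set()
    for e in events:
        if e.proc in TRUSTED_PROCS:
            continue
        if e.kind == "read" and e.target in SENSITIVE_PATHS:
            read_sensitive.add(e.proc)
        elif e.kind == "send" and e.proc in read_sensitive:
            flagged.add(e.proc)
    return flagged

def flow_aware_rule(events):
    """Refined rule: flag only when the sent bytes contain data obtained
    from a sensitive read (substring match as a stand-in for taint flow)."""
    tainted, flagged = {}, set()
    for e in events:
        if e.proc in TRUSTED_PROCS:
            continue
        if e.kind == "read" and e.target in SENSITIVE_PATHS and e.data:
            tainted.setdefault(e.proc, []).append(e.data)
        elif e.kind == "send":
            if any(t in e.data for t in tainted.get(e.proc, [])):
                flagged.add(e.proc)
    return flagged

# Constructed event stream: a benign custom app reads a sensitive database
# but only sends an unrelated heartbeat; a second process actually leaks.
EVENTS = [
    Event("custom-app", "read", "/srv/crm/contracts.db", b"ACME renewal 2024"),
    Event("custom-app", "send", "telemetry.example.invalid", b'{"status":"ok"}'),
    Event("leaker", "read", "/etc/shadow", b"root:$6$abc"),
    Event("leaker", "send", "drop.example.invalid", b"dump=root:$6$abc"),
    Event("backup-agent", "read", "/etc/shadow", b"root:$6$abc"),
    Event("backup-agent", "send", "backup.example.invalid", b"root:$6$abc"),
]
```

Running both rules over `EVENTS` shows the sequence rule flagging `custom-app` and `leaker`, while the flow-aware rule flags only `leaker`.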